Details : SecurityAlert

  Topic : Two heap overflows in libextractor 0.5.13 (rev 2832)
  SecurityAlert : 916
  CVE : CVE-2006-2458
  SecurityRisk : High
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : Yes
  Credit : Luigi Auriemma
  Published : 19.05.2006

  Affected Software : libextractor <= 0.5.13 (rev 2832)



  Advisory Text :  

#######################################################################

Luigi Auriemma

Application: libextractor
http://gnunet.org/libextractor/
Versions: <= 0.5.13 (rev 2832)
Platforms: *nix, *BSD, Windows and more
Bugs: A] heap overflow in asfextractor
      B] heap overflow in qtextractor
Exploitation: local
Date: 17 May 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

libextractor is a library for extracting meta-data from files in many
different formats.
It is used by several programs and is required by GNUnet
(http://gnunet.org).

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] heap overflow in asfextractor
--------------------------------

The demux_asf_t structure is allocated when the plugin is launched; a
call to asf_read_header then reads the whole header of the input file,
eventually reaching (depending on the file) the handling of
GUID_ASF_STREAM_PROPERTIES and then of CODEC_TYPE_AUDIO.
Here an arbitrary amount of data, specified by the 32-bit number called
total_size, is copied from the ASF file into the wavex buffer of
1024*2 bytes.
total_size is read from the same file and no check is performed on its
value, so a heap overflow can be caused.

From src/plugins/asfextractor.c:

static int asf_read_header(demux_asf_t *this) {
  ...
      total_size       = get_le32(this);
      stream_data_size = get_le32(this);
      stream_id        = get_le16(this); /* stream id */
      get_le32(this);

      if (type == CODEC_TYPE_AUDIO) {
        ext_uint8_t buffer[6];

        /* total_size comes straight from the file and is never compared
         * with the size of this->wavex (1024*2 bytes) */
        readBuf (this, (ext_uint8_t *) this->wavex, total_size);
  ...

-------------------------------
B] heap overflow in qtextractor
-------------------------------

A heap overflow also exists in the plugin which handles QT/MOV files.
The problem is located in the parse_trak_atom function: a buffer is
allocated with a size chosen by the attacker (current_atom_size), and
memcpy is then called on it with a second length that is also taken from
the same input file.

From src/plugins/qtextractor.c:

static qt_error parse_trak_atom (qt_trak *trak,
                                 unsigned char *trak_atom) {
  ...
      trak->stsd_size = current_atom_size;
      trak->stsd = realloc (trak->stsd, current_atom_size);
      memset (trak->stsd, 0, trak->stsd_size);

      /* awful, awful hack to support a certain type of stsd atom that
       * contains more than 1 video description atom */
      if (BE_32(&trak_atom[i + 8]) == 1) {
        /* normal case */
        memcpy (trak->stsd, &trak_atom[i], current_atom_size);
        hack_adjust = 0;
      } else {
        /* pathological case; take this route until a more definite
         * solution is found: jump over the first atom video
         * description atom */

        /* copy the first 12 bytes since those remain the same */
        memcpy (trak->stsd, &trak_atom[i], 12);

        /* skip to the second atom and copy it */
        hack_adjust = BE_32(&trak_atom[i + 0x0C]);
        /* the copy length below is read from the file and is never
         * compared with the current_atom_size allocation */
        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
               BE_32(&trak_atom[i + 0x0C + hack_adjust]));
  ...
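
As an added example (not part of the advisory and not libextractor's own
code), the two copies quoted in A] and B] rewritten with the checks that
were missing: total_size must fit both the fixed 1024*2-byte wavex buffer
and the bytes actually present in the input, and in the stsd case every
offset and length taken from the file must lie inside both the
attacker-sized allocation and the enclosing atom. The helper names
(le32_at, be32_at, copy_wavex_checked, copy_stsd_checked), the assumed
14-byte field layout preceding the wavex payload, and the sample byte
strings are constructed for this illustration.

```c
/* Added example, not libextractor code: bounds-checked versions of the two
 * copies quoted in the advisory. Helper names and sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define WAVEX_SIZE  (1024 * 2) /* size of the fixed wavex buffer in demux_asf_t */
#define ASF_HDR_LEN 14         /* assumed: total_size(4) stream_data_size(4) stream_id(2) reserved(4) */

/* Little-endian and big-endian 32-bit reads (what get_le32 and BE_32 do). */
static uint32_t le32_at(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint32_t be32_at(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug A hardened. data/len: file bytes starting at the total_size field.
 * The copy happens only if total_size fits the destination AND the input.
 * Returns bytes copied, or -1 when the file would have overrun wavex. */
long copy_wavex_checked(const uint8_t *data, size_t len, uint8_t *wavex) {
    if (len < ASF_HDR_LEN) return -1;
    uint32_t total_size = le32_at(data);
    if (total_size > WAVEX_SIZE) return -1;        /* destination bound */
    if (total_size > len - ASF_HDR_LEN) return -1; /* source bound */
    memcpy(wavex, data + ASF_HDR_LEN, total_size);
    return (long)total_size;
}

/* Bug B hardened. atom/atom_len: the trak atom; i: offset of the stsd atom
 * inside it. Mirrors the two branches of parse_trak_atom, but every length
 * and offset read from the file is validated against both the allocation
 * (current_atom_size) and atom_len before it reaches memcpy.
 * Returns a calloc'd stsd copy with *out_len set, or NULL on refusal. */
uint8_t *copy_stsd_checked(const uint8_t *atom, size_t atom_len, size_t i, size_t *out_len) {
    /* size(4) type(4) entry_count(4) first_entry_size(4) must be readable */
    if (atom_len < 16 || i > atom_len - 16) return NULL;
    uint32_t current_atom_size = be32_at(&atom[i]);
    if (current_atom_size < 16 || current_atom_size > atom_len - i) return NULL;

    uint8_t *stsd = calloc(1, current_atom_size);
    if (!stsd) return NULL;

    if (be32_at(&atom[i + 8]) == 1) {               /* normal case: one description */
        memcpy(stsd, &atom[i], current_atom_size);  /* source range checked above */
        *out_len = current_atom_size;
        return stsd;
    }

    /* pathological case: keep the 12-byte header, then copy the second entry */
    memcpy(stsd, &atom[i], 12);
    uint32_t hack_adjust = be32_at(&atom[i + 12]);
    if (hack_adjust > atom_len - i - 16) { free(stsd); return NULL; } /* size field must be inside the atom */
    size_t second = i + 12 + hack_adjust;
    uint32_t second_size = be32_at(&atom[second]);
    if (second_size > current_atom_size - 12 ||     /* destination bound */
        second_size > atom_len - second) {          /* source bound */
        free(stsd);
        return NULL;
    }
    memcpy(stsd + 12, &atom[second], second_size);
    *out_len = 12 + second_size;
    return stsd;
}

/* Constructed samples (not taken from any real file). */
static const uint8_t asf_ok[] = {                /* total_size = 8, then the other header fields */
    0x08,0,0,0, 0,0,0,0, 0x01,0, 0,0,0,0, 'W','A','V','E','F','M','T','!' };
static const uint8_t asf_bad[] = {               /* total_size = 0x7fffffff: unchecked readBuf would overrun wavex */
    0xff,0xff,0xff,0x7f, 0,0,0,0, 0x01,0, 0,0,0,0, 'W','A','V','E','F','M','T','!' };
static const uint8_t qt_normal[] = {             /* 24-byte stsd, entry_count = 1 */
    0,0,0,0x18, 's','t','s','d', 0,0,0,1, 0,0,0,0x0C, 'm','p','4','a', 0,0,0,0 };
static const uint8_t qt_twin[] = {               /* entry_count = 2, both entries well-formed */
    0,0,0,0x24, 's','t','s','d', 0,0,0,2,
    0,0,0,0x0C, 'a','v','c','1', 0,0,0,0, 0,0,0,0x0C, 'm','p','4','a', 0,0,0,0 };
static const uint8_t qt_bad[] = {                /* second entry claims 0x7fffffff bytes: unchecked memcpy overflows the 36-byte stsd */
    0,0,0,0x24, 's','t','s','d', 0,0,0,2,
    0,0,0,0x0C, 'a','v','c','1', 0,0,0,0, 0x7f,0xff,0xff,0xff, 'm','p','4','a', 0,0,0,0 };

int main(void) {
    uint8_t wavex[WAVEX_SIZE];
    size_t n = 0;
    printf("asf_ok  -> %ld\n", copy_wavex_checked(asf_ok, sizeof asf_ok, wavex));
    printf("asf_bad -> %ld\n", copy_wavex_checked(asf_bad, sizeof asf_bad, wavex));
    uint8_t *s = copy_stsd_checked(qt_twin, sizeof qt_twin, 0, &n);
    printf("qt_twin -> %s (%zu bytes)\n", s ? "copied" : "refused", n);
    free(s);
    printf("qt_bad  -> %s\n", copy_stsd_checked(qt_bad, sizeof qt_bad, 0, &n) ? "copied" : "refused");
    return 0;
}
```

Both functions refuse rather than truncate: a file whose declared length
disagrees with the data it carries is malformed, and silently copying a
prefix would hide exactly the inconsistency the checks exist to catch.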

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/libextho.zip

#######################################################################

======
4) Fix
======

The bug in the ASF plugin has been fixed in revision 2827 and the one in
the QT plugin in revision 2833.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



